From a42cb0c8e17f1a126a10cf99062765199dcbac61 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Thu, 31 Oct 2019 18:10:50 +0000
Subject: [PATCH] daemon: Refuse to disable FIPS mode, or enable on new RHCOS Our new thought around this is that really FIPS should be a "day 1" operation, and we don't want to make it really easy to undo. See also https://github.com/openshift/installer/pull/2594 Anyone who wants to force this can change the MC flag, then `oc debug node` and run the disable command by hand, then reboot. Our MachineConfig merge semantics should make it hard for this to happen unless the admin explicitly deletes the installer-generated MC, but still. Since we don't support it and don't want customers to do it by accident, let's disable it and also stop wasting compute hours testing it. Further, a pending RHCOS change will delete the FIPS command entirely and move it into the initramfs. Cleanly handle that case by also refusing to enable FIPS "day 2" - what we expect to be the future. But we still support enabling day 2 for testing until that RHCOS change lands.
---
 pkg/daemon/update.go | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/pkg/daemon/update.go b/pkg/daemon/update.go
index 0328b8e633..fee8a52d12 100644
--- a/pkg/daemon/update.go
+++ b/pkg/daemon/update.go
@@ -328,6 +328,23 @@ func (dn *Daemon) updateFIPS(current, desired *mcfgv1.MachineConfig) error {
 if dn.OperatingSystem != machineConfigDaemonOSRHCOS {
 return errors.New("Updating FIPS on non-RHCOS nodes is not supported")
 }
+ // Our new thought around this is that really FIPS should be a "day 1"
+ // operation, and we don't want to make it really easy to undo.
+ // See also https://github.com/openshift/installer/pull/2594
+ // Anyone who wants to force this can change the MC flag, then
+ // `oc debug node` and run the disable command by hand, then reboot.
+ if current.Spec.FIPS && !desired.Spec.FIPS {
+ return errors.New("Refusing to undo FIPS mode")
+ }
+ // At this point, we must be trying to enable FIPS, since
+ // current != desired && desired per conditionals above
+ if _, err := os.Stat(fipsCommand); err != nil {
+ if os.IsNotExist(err) {
+ return errors.New("Cannot enable FIPS after firstboot")
+ }
+ return errors.Wrapf(err, "Checking FIPS")
+ }
+
 arg := "enable"
 if !desired.Spec.FIPS {
 arg = "disable"
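Review bot: The new guard `if current.Spec.FIPS && !desired.Spec.FIPS` compares two MachineConfig specs, so it protects the declared configuration and not the node's actual state. The by-hand path described in the added comment leaves a node whose config still says FIPS while the kernel is no longer in FIPS mode. If that drift matters for compliance, the daemon could read the kernel's own view (on Linux, `/proc/sys/crypto/fips_enabled`) and log or degrade when it disagrees with `current.Spec.FIPS`. Separately, with this early return the trailing `if !desired.Spec.FIPS { arg = "disable" }` looks unreachable, assuming the equality check the second comment refers to sits above the hunk, so it could be removed rather than kept as a dormant disable path. The body of updateFIPS begins above and continues below this hunk.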